
Pin GitHub Actions to commit SHAs #863

Merged
heemin32 merged 1 commit into opensearch-project:main from Divyaasm:pin-actions-to-sha
Jun 10, 2026

Conversation

@Divyaasm

Contributor

Description

Pin all GitHub Action tag references to their corresponding commit SHAs.

Tags are mutable references that can be force-pushed to point to different commits, making them vulnerable to supply chain attacks. Commit SHAs are immutable and guarantee that the exact reviewed code is executed in CI workflows. This change pins all third-party actions to their current commit SHAs to prevent potential tampering.

Signed-off-by: Divya Madala <divyaasm@amazon.com>
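As an added example (not code from this PR or from the opensearch-project repository), the following Python check scans workflow text for `uses:` lines and reports which references are pinned to a full 40-hex commit SHA, which are pinned but lack the human-readable version comment, and which still point at a mutable tag, branch or image tag. The sample workflow, the `actions/setup-java` SHA and the docker line are constructed placeholders; only the `actions/checkout` SHA is taken from the bot comment on this PR.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not from the PR): a SHA-pinned action with a
# version comment, a SHA-pinned action without one, a tag, a branch, a
# repository-local action and an unpinned docker image reference.
# The first SHA is the actions/checkout pin discussed in this PR; the second
# is a made-up placeholder, not a real actions/setup-java commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v3
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567
      - uses: actions/cache@v3
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
"""

# Matches a `uses:` step line and captures the reference and any trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*?))?\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A version comment such as `v3` or `v4.1.2` beside the SHA, so a reader can
# tell which release the immutable pin is meant to correspond to.
VERSION_COMMENT_RE = re.compile(r"^v\d+(?:\.\d+){0,2}$")


def classify(ref: str, comment: str) -> str:
    """Return how an action reference is pinned."""
    if ref.startswith("./"):
        return "local"  # lives in this repository; nothing remote to pin
    if ref.startswith("docker://"):
        # Image tags are mutable like git tags; only a digest is immutable.
        return "pinned" if "@sha256:" in ref else "mutable-ref"
    if "@" not in ref:
        return "mutable-ref"  # no ref at all: resolves to the default branch
    _, version = ref.rsplit("@", 1)
    if not FULL_SHA_RE.match(version):
        return "mutable-ref"  # a tag or branch name, which can be moved
    if not VERSION_COMMENT_RE.match(comment):
        return "pinned-no-version-comment"
    return "pinned"


def audit_uses(text: str) -> List[Dict[str, object]]:
    """Classify every `uses:` line in a workflow, keeping its line number."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        comment = (m.group("comment") or "").strip()
        findings.append({"line": lineno, "ref": ref, "status": classify(ref, comment)})
    return findings


def unpinned(text: str) -> List[Dict[str, object]]:
    """Only the references that a reviewer would ask to be pinned to a SHA."""
    return [f for f in audit_uses(text) if f["status"] == "mutable-ref"]


if __name__ == "__main__":
    for f in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {f['line']:>3}: {f['status']:<26} {f['ref']}")
```

The check is purely syntactic: it can confirm that a reference is a full SHA and that a version comment is present, but not that the comment names the tag the SHA actually belongs to, which is exactly the kind of mismatch the bot suggestion on this PR points out; verifying that needs an upstream lookup such as `git ls-remote --tags` against the action's repository.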
@github-actions


PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🧪 No relevant tests
🔒 No security concerns identified
✅ No TODO sections
🔀 No multiple PR themes
⚡ No major issues detected

@github-actions


PR Code Suggestions ✨

Explore these optional code suggestions:

Category: General
Suggestion: Correct version comment mismatch

The commit SHA ee0669bd1cc54295c223e0bb666b733df41de1c5 corresponds to
actions/checkout@v3, not v2 as indicated in the comment. This mismatch could cause
confusion during maintenance and security audits.

.github/workflows/auto-release.yml [24]

-- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
+- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v3
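Review bot: the hunk changes only the trailing version comment, from `# v2` to `# v3`, so before accepting it confirm which tag the SHA ee0669bd1cc54295c223e0bb666b733df41de1c5 actually resolves to in actions/checkout (for example with `git ls-remote --tags https://github.com/actions/checkout`) rather than trusting either comment; the comment is what later maintainers read when deciding whether a pin is stale, and a wrong replacement is as misleading as the mismatch it fixes. Also grep the other workflows for the same SHA, since any of them carrying the `# v2` comment would need the identical correction.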
Suggestion importance [1-10]: 7


Why: The comment indicates v2 but the commit SHA ee0669bd1cc54295c223e0bb666b733df41de1c5 actually corresponds to v3 of actions/checkout. This is a valid correction that improves accuracy and prevents confusion during maintenance, though it's a documentation-level fix rather than a functional change.

Impact: Medium

heemin32 merged commit 815a08e into opensearch-project:main on Jun 10, 2026
16 of 26 checks passed
